avoid-pyyaml-load
yaml.unsafe_load
, yaml.Loader
, yaml.CLoader
, and yaml.UnsafeLoader
are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use yaml.safe_load
or yaml.SafeLoader
instead.avoid-jsonpickle
jsonpickle
, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using json
module.avoid-unsafe-ruamel
ruamel.yaml.YAML()
. ruamel.yaml.YAML
can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use YAML(typ='rt')
or YAML(typ='safe')
instead.avoid-pickle
pickle
, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.avoid-cPickle
cPickle
, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.avoid-dill
dill
, which uses pickle
, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.avoid-shelve
shelve
, which uses pickle
, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.